I own a lock system that uses SRI512 cards. My supplier (the manufacturer of the locks) sells the cards at a very expensive price, so I decided to buy them online. Once they arrived, when I tried to write to them through the proprietary reader, the writer would not write to them, although it recognizes them.
I did a dump of a blank card (given by the manufacturer) and noticed that in the fifth block there is a value; the rest of the card is blank. By changing the card, the value of the block changes. Obviously, trying to use that block from a working card doesn't work, and that's why I think there is an algorithm that turns the UID of the card into these 24 bits (in this way, the system only allows cards distributed by the manufacturer).
I decided to get more data by getting block 5 of every blank card I had, that's about 50.
D0021B6847E77BD3 -> 01 2B 3D A9
D0021B6847E77D68 -> 01 EB AA 3D
D0021B6847E78738 -> 01 B5 5D 18
D0021B6847E789C0 -> 01 35 CA 34
D0021B6847EA2AE3 -> 01 87 27 4B
D0021B6847EAB92C -> 01 B3 4A 2D
D0021B6847EABDAA -> 01 96 57 11
D0021B6847EAC34D -> 01 BC B3 5C
D0021B6847EAC5F6 -> 01 BB C7 42
D0021B6847EB28FD -> 01 3B F4 03
D0021B6847EB2AC0 -> 01 FD F6 71
D0021B6847EB2C7B -> 01 98 5D 94
D0021B6847EB2E46 -> 01 DC A1 23
D0021B6847EB3481 -> 01 96 76 9C
D0021B6847EB36BC -> 01 B1 2E 0A
D0021B68480B086D -> 01 7F D2 83
D0021B68480B0A50 -> 01 6F 35 6E
D0021B68480B396A -> 01 1A F5 13
D0021B68480B3B57 -> 01 81 06 F1
D0021B68480D878B -> 01 69 BD 13
D0021B68480D8973 -> 01 4F 42 01
D0021B68480D93B4 -> 01 2D 5E 8D
D0021B68DCB18896 -> 01 D5 B8 81
D0021B68DCB18AAB -> 01 19 8A C6
D0021B68DCB196D7 -> 01 EF 9A 3B
D0021B68DCBF3D1D -> 01 73 74 0B
D0021B68DCC0352B -> 01 E2 1E 35
D0021B68DCC03F55 -> 01 BE 08 F4
D0021B68DCC041B2 -> 01 97 A5 96
D0021B68DCC065F0 -> 01 94 2C B5
D0021B68DCC067CD -> 01 82 EB E1
D0021B68DCC46D6F -> 01 B2 8E 99
D0021B68DCC46E28 -> 01 8E 7C 55
D0021B68DCC47DD6 -> 01 C9 E4 80
D0021B68DCCE0B95 -> 01 73 6F 85
D0021B68DCCE15D4 -> 01 33 3D 54
D0021B68DCCE578B -> 01 A4 92 2E
D0021B68DCCE5DF5 -> 01 66 D1 98
D0021B68DCCE6370 -> 01 F6 C0 4F
D0021B68DCDCE779 -> 01 D2 4D CB
D0021B68DCDCE981 -> 01 F7 6D 34
D0021B68DCDD34F7 -> 01 E7 C7 DE
D0021B68DCDD406E -> 01 F2 AF 98
D0021B68DCE60945 -> 01 C0 35 51
D0021B68DCE61539 -> 01 76 71 8D
D0021B68DCE63EF9 -> 01 C2 44 63
D0021B68DCE64498 -> 01 F6 71 6B
D0021B68DCFAF9EE -> 01 1D 03 BF
D0021B68DCFAFF55 -> 01 20 62 ED
D0021B68DCFB0526 -> 01 15 2C E9
D0021B68DCFB0AA4 -> 01 83 FD 79
D0021B68DCFB0C1F -> 01 E1 E6 09
D0021B68DCFB16D8 -> 01 68 8F CA
D0021B68DD02FF77 -> 01 57 63 0A
D0021B68DD034621 -> 01 49 50 DC
D0021B68DD0348D9 -> 01 6F 68 02
Added [45]:
D002196E1B02AC51 -> 01 89 76 A7
D002198F160A3050 -> 01 AD EA A7
D002198F160A3638 -> 01 17 DA EF
D002198F160A7AAE -> 01 43 9F CD
D00219901F512085 -> 01 4E E6 20
D00219901F512746 -> 01 A7 64 4E
D00219901F512A6F -> 01 A2 15 24
D00219901F512B47 -> 01 6E 01 6F
D00219901F512C74 -> 01 FE 02 B2
D00219901F51334D -> 01 C7 0F E7
D00219901F513C37 -> 01 7D D5 D6
D00219901F513F3B -> 01 9A 54 49
D00219901F514244 -> 01 31 9F B1
D00219901F514881 -> 01 06 A0 09
D00219901F514C42 -> 01 9C 3B D0
D00219901F51565D -> 01 39 BF 94
D00219901F515929 -> 01 AD B8 81
D00219901F515D39 -> 01 63 A2 F9
D00219901F515F8E -> 01 45 A5 C4
D00219901F5164A1 -> 01 2C 90 51
D00219901F516F5D -> 01 52 95 44
D00219901F517022 -> 01 FA 43 46
D00219901F518D40 -> 01 77 83 94
D00219901F51927C -> 01 EA 9A F1
D00219901F519397 -> 01 28 AB 7C
D00219901F51B462 -> 01 36 D2 2E
D002199117D14063 -> 01 F7 AF D0
D002199117D1471F -> 01 93 1D 36
D002199117D17F3D -> 01 D5 E6 54
D0021B6847E94417 -> 01 8F 92 AD
D0021B6847E98E3A -> 01 E9 AD 99
D0021B6847E9907B -> 01 DA 02 30
D0021B68480B0213 -> 01 26 D1 5F
D0021B68480B0ED6 -> 01 47 76 7D
D0021B68480B35AF -> 01 A2 D9 56
D0021B68480D8DF5 -> 01 E8 EC CC
D0021B68DCC03390 -> 01 BD 42 5E
D0021B68DCDD36CA -> 01 EF A3 64
D0021B68DCE60B78 -> 01 D6 F0 65
D0021B68DCE60DC3 -> 01 E4 DC A0
D0021B68DCE61704 -> 01 30 94 D8
D0021B68DCE6401E -> 01 9E D6 2B
D0021B68DD03409A -> 01 84 61 77
D0021B68DD034AE4 -> 01 31 1C 0C
D0021B68DD034C5F -> 01 1D DE 3B
So here is what I know or what I have inferred:
- I think the `01` is not part of the output of the algorithm; whether it is a CRC, hash function or something else, it is very unlikely to be part of the output, so the output is `24` bits and not `32`.
- I don't know if it helps, but you have to take into account that the UID consists of 4 parts: `D0` = Prefix, `02` = Manufacturer, `000110` [binary] (6 in decimal) = Card model (`SRI512`). The remaining `42` bits are the serial.
- I don't know whether the entire UID is taken as input or only a part, but I noticed that among the examples I have available there are cases where the UID ends with the same 3 digits, which is why the algorithm must take as input at least the last 4 (or more).
- I have made several attempts and the closest thing I could find is "Reverse-engineering a weird 24-bit possibly not CRC checksum", but I am unable to apply it.
- I have considered other alternatives, if only to test the reasoning, such as buying cards with modifiable UIDs, but SRI512s do not exist.
- If I keep buying the cards from the manufacturer, over time I will get more and more examples.
I can't figure out what algorithm is being used.
Update: I managed to find a file explaining that the encryption used is 3DES-AES, I think at this point the question should be moved. However I don't know yet if it is used in this conversion, even if it is very likely.
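The UID layout and the "at least the last 4 digits" inference from the post can be checked mechanically. The following is an added example, not part of the original post: it splits a UID into the four fields as the post describes them and finds the shortest UID suffix that is consistent with six of the listed pairs; the function names are hypothetical. The result is only a lower bound on how much of the UID the algorithm consumes.

```python
# Added illustration; the field layout and sample pairs are taken from the post.
SAMPLES = {  # UID -> 24-bit block-5 value (leading 01 byte dropped)
    "D0021B68DCFAFF55": "2062ED",
    "D0021B68DCC03F55": "BE08F4",
    "D0021B68DCCE5DF5": "66D198",
    "D0021B68480D8DF5": "E8ECCC",
    "D0021B68480D878B": "69BD13",
    "D0021B68DCCE578B": "A4922E",
}


def parse_uid(uid_hex):
    """Split a 64-bit UID into the four fields described in the post."""
    if len(uid_hex) != 16:
        raise ValueError("UID must be 16 hex digits (64 bits)")
    v = int(uid_hex, 16)
    return {
        "prefix": v >> 56,                # 8 bits, D0
        "manufacturer": (v >> 48) & 0xFF,  # 8 bits, 02
        "model": (v >> 42) & 0x3F,         # 6 bits, 6 for SRI512
        "serial": v & ((1 << 42) - 1),     # remaining 42 bits
    }


def min_suffix_digits(samples):
    """Smallest k such that no two samples share the same k-digit UID
    suffix while carrying different values; None if no k works."""
    for k in range(1, 17):
        seen = {}
        consistent = True
        for uid, value in samples.items():
            # setdefault stores the first value seen for this suffix
            if seen.setdefault(uid[-k:], value) != value:
                consistent = False
                break
        if consistent:
            return k
    return None


if __name__ == "__main__":
    for uid in SAMPLES:
        print(uid, parse_uid(uid))
    print("minimum suffix digits:", min_suffix_digits(SAMPLES))
```
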